CVE-2026-48900 Overview
CVE-2026-48900 affects Joomla! and stems from an improper access check in the com_scheduler component. Low privileged users can edit the task types of existing scheduler tasks without proper authorization. The flaw maps to [CWE-284: Improper Access Control] and impacts the core scheduler functionality used to manage automated tasks. Joomla published Security Advisory #1048 to address the issue.
Critical Impact
Authenticated low privileged backend users can change the task type of existing scheduler tasks. The task type selects which task routine the scheduler runs when the task fires, and scheduled tasks execute in the application's own context rather than under the editing user's ACL, so a low privileged account gains influence over actions performed with site-level authority on every subsequent run. The direct impact is to integrity of the automated task configuration, with whatever downstream effect the substituted routine has on the site.
Affected Products
- Joomla! CMS core installations using com_scheduler
- Joomla! sites where low privileged backend users have any scheduler-related access
- Joomla! deployments that have not applied the fix from Security Advisory #1048
Discovery Timeline
- 2026-05-26 - CVE-2026-48900 published to the National Vulnerability Database (NVD)
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-48900
Vulnerability Analysis
The vulnerability lives in the Joomla! scheduler component, com_scheduler. Joomla! enforces granular ACLs over which users can create, edit, and run scheduler tasks. The access check that governs editing of task types is incomplete. As a result, a low privileged authenticated user can change the task type assigned to an existing scheduler task. Changing the task type alters what the scheduler will execute when the task runs. The Joomla advisory categorizes the issue as incorrect access control in the core scheduler.
Root Cause
The Joomla advisory classifies the issue as incorrect access control in com_scheduler; the description that follows is inferred from that classification and from the observable behaviour, not quoted from the advisory. The pattern consistent with it is a missing or insufficient privilege validation on the path that saves task type modifications: the component confirms that the user is authenticated and has some access to scheduler views, but does not re-check that the user holds the privilege required to alter the task type field. This is the classic broken access control pattern of [CWE-284], where authorization is enforced on entry to a feature but not on each sensitive action within it.
Attack Vector
The attack vector is network based and requires a valid backend account with low privileges. An attacker authenticates to the Joomla! administrator interface, then issues a task edit request targeting an existing scheduler task and changes its task type to a different handler. No user interaction is required from a higher privileged user. The change persists and influences subsequent scheduler runs. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and no public proof-of-concept exploit is referenced in the advisory.
No verified exploitation code is published for this CVE. Refer to the Joomla Security Advisory #1048 for vendor-confirmed technical details.
Detection Methods for CVE-2026-48900
Indicators of Compromise
- Unexpected modifications to rows of the #__scheduler_tasks table, particularly a changed type value on an existing row (#__ stands for the site's configured table prefix, e.g. jos_)
- User Actions Log entries (System > Manage > User Actions Log, backed by #__action_logs) showing scheduler task saves performed by accounts outside the groups expected to administer scheduler tasks
- Scheduler tasks executing handlers that do not match their original configured purpose
Detection Strategies
- Review the User Actions Log for com_scheduler save events and correlate the acting account against the groups expected to administer scheduler tasks; confirm first that the "Action Log - Joomla" plugin is enabled and that com_scheduler is among its loggable extensions, otherwise these edits are never recorded
- Compare current scheduler task definitions against a known-good baseline export (at minimum id, title and type from #__scheduler_tasks) to identify unauthorized task type changes; match rows on id, since a title can be left untouched while the type is rewritten
- Inspect web server access logs for POST requests to /administrator/index.php whose query string contains option=com_scheduler, especially with an edit layout or id parameter. Joomla normally submits the controller task (task.save, task.apply) in the POST body, so task=task.save will often not appear in the request line, and the access log does not record the Joomla account at all; use it to establish time windows and client IPs, then attribute the edit through the User Actions Log
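The baseline comparison and the access-log inspection above, as an added example that is not part of the Joomla project or of the original advisory. It diffs a known-good export of #__scheduler_tasks against the current rows on the primary key and reports a changed type, then scans combined-format access-log lines for POST submissions to the com_scheduler edit form under /administrator, keying on option=com_scheduler plus the id parameter rather than on a task=task.save query string. All rows, log lines and task type strings are constructed placeholders; the type values are not real Joomla task routine identifiers.

```python
"""Baseline and access-log checks for CVE-2026-48900.

Added example, not Joomla code. It implements two of the detection strategies
above: diffing a known-good export of #__scheduler_tasks against the current
rows to catch a changed `type`, and scanning web-server access-log lines for
POST submissions to the com_scheduler edit form in /administrator. All rows,
log lines and task type strings are constructed placeholders.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Minimal projection of #__scheduler_tasks (`#__` is the site's table prefix).
# Type strings are placeholders, not real Joomla task routine identifiers.
BASELINE = [
    {"id": 1, "title": "Session GC",  "type": "example.session_gc"},
    {"id": 2, "title": "Rotate logs", "type": "example.rotate_logs"},
    {"id": 3, "title": "Site status", "type": "example.site_status"},
]
CURRENT = [
    {"id": 1, "title": "Session GC",  "type": "example.session_gc"},
    {"id": 2, "title": "Rotate logs", "type": "example.fetch_url"},   # type changed in place
    {"id": 4, "title": "Cleanup",     "type": "example.cleanup"},     # new row, baseline id 3 gone
]


def diff_tasks(baseline, current):
    """Return (type_changes, added_ids, removed_ids).

    Rows are matched on the primary key, not the title, because the condition
    being hunted is an existing task whose `type` was rewritten while its
    identity (and possibly its title) stayed the same.
    """
    base = {r["id"]: r for r in baseline}
    cur = {r["id"]: r for r in current}
    type_changes = [
        (i, cur[i]["title"], base[i]["type"], cur[i]["type"])
        for i in sorted(base.keys() & cur.keys())
        if base[i]["type"] != cur[i]["type"]
    ]
    return type_changes, sorted(cur.keys() - base.keys()), sorted(base.keys() - cur.keys())


# Constructed lines in Apache/nginx "combined" format.
ACCESS_LOG = """\
203.0.113.7 - - [26/May/2026:10:14:02 +0000] "POST /administrator/index.php?option=com_login&task=login HTTP/1.1" 303 - "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2026:10:14:30 +0000] "GET /administrator/index.php?option=com_scheduler&task=task.edit&id=2 HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2026:10:15:11 +0000] "POST /administrator/index.php?option=com_scheduler&view=task&layout=edit&id=2 HTTP/1.1" 303 - "-" "Mozilla/5.0"
198.51.100.9 - - [26/May/2026:10:16:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scheduler_edit_posts(log_text):
    """Return (timestamp, client_ip, task_id, status) for each POST to the
    com_scheduler edit form under /administrator.

    Joomla submits the controller task (task.save, task.apply) in the POST
    body, so the request line is matched on option=com_scheduler plus the
    edit layout/id rather than on task=task.save in the query string.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith("/administrator/"):
            continue
        query = parse_qs(url.query)
        if query.get("option", [""])[0] != "com_scheduler":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["ip"], query.get("id", [None])[0], int(m["status"])))
    return hits


if __name__ == "__main__":
    changes, added, removed = diff_tasks(BASELINE, CURRENT)
    for task_id, title, old, new in changes:
        print(f"type changed on task {task_id} ({title}): {old} -> {new}")
    print("added:", added, "removed:", removed)
    for ts, ip, task_id, status in scheduler_edit_posts(ACCESS_LOG):
        print(f"{ts.isoformat()} {ip} posted scheduler edit form for task id={task_id} -> {status}")
```

On a real site, replace BASELINE and CURRENT with exports of the same columns taken before and after the period under review, and feed the real access log to scheduler_edit_posts; the IP and timestamp of each hit are what you pair with the User Actions Log to name the account.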
Monitoring Recommendations
- Enable the User Actions Log, collect it centrally, then alert on scheduler task saves performed by accounts outside the groups expected to administer scheduler tasks
- Monitor the #__scheduler_tasks table for changes to the type column outside of scheduled maintenance windows
- Track failed and successful authentications to /administrator and pair them with subsequent scheduler component activity
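The alerting described in the detection strategies and monitoring recommendations above, as an added example that is not Joomla code. It flags scheduler task saves recorded in the User Actions Log by accounts outside an allowlist of administrator groups, and pairs each hit with that account's most recent administrator login so the edit IP can be compared with the login IP. The rows are constructed to resemble #__action_logs (the message column holds JSON, as Joomla stores it); the exact message keys, the com_scheduler.task extension string and the allowed group names are assumptions to verify against your own site. Group membership is shaped as it would come from joining #__user_usergroup_map to #__usergroups.

```python
"""Alerting over Joomla User Actions Log rows for CVE-2026-48900.

Added example, not Joomla code. Flags scheduler task saves made by accounts
with no allowed group and pairs each with the account's latest login. Rows
are constructed to resemble #__action_logs; message keys, the extension
string and the allowed group names are assumptions to verify on your site.
"""
import json
from datetime import datetime

# Site-specific allowlist of groups permitted to edit scheduler tasks (assumption).
ALLOWED_GROUPS = {"Super Users", "Administrator"}

# user_id -> group names, as from #__user_usergroup_map joined to #__usergroups (constructed).
USER_GROUPS = {42: {"Super Users"}, 77: {"Manager"}}

LOGIN_KEY = "PLG_ACTIONLOG_JOOMLA_USER_LOGGED_IN"
SAVE_KEY = "PLG_ACTIONLOG_JOOMLA_USER_UPDATE"


def _row(log_id, when, extension, key, user_id, ip, **msg):
    """Build one constructed #__action_logs-style row (message stored as JSON)."""
    return {"id": log_id, "log_date": when, "extension": extension,
            "message_language_key": key, "user_id": user_id,
            "ip_address": ip, "message": json.dumps(msg)}


ACTION_LOGS = [
    _row(1, "2026-05-26 10:14:02", "com_users", LOGIN_KEY, 77, "203.0.113.7",
         action="login", userid=77, username="editor1", app="administrator"),
    _row(2, "2026-05-26 10:15:11", "com_scheduler.task", SAVE_KEY, 77, "203.0.113.7",
         action="update", id=2, title="Rotate logs", userid=77, username="editor1"),
    _row(3, "2026-05-26 10:20:00", "com_scheduler.task", SAVE_KEY, 42, "192.0.2.10",
         action="update", id=1, title="Session GC", userid=42, username="admin"),
    _row(4, "2026-05-26 10:41:30", "com_scheduler.task", SAVE_KEY, 77, "198.51.100.9",
         action="update", id=2, title="Rotate logs", userid=77, username="editor1"),
]


def parse_rows(rows):
    """Decode log_date and the JSON message; return rows oldest first."""
    parsed = [dict(r, log_date=datetime.strptime(r["log_date"], "%Y-%m-%d %H:%M:%S"),
                   msg=json.loads(r["message"])) for r in rows]
    return sorted(parsed, key=lambda r: r["log_date"])


def is_scheduler_save(row):
    """A create or update recorded against the scheduler component."""
    return row["extension"].startswith("com_scheduler") and row["msg"].get("action") in {"update", "add"}


def last_login_before(rows, user_id, when):
    """Most recent login row for user_id at or before `when`, or None."""
    logins = [r for r in rows
              if r["message_language_key"] == LOGIN_KEY
              and r["user_id"] == user_id and r["log_date"] <= when]
    return logins[-1] if logins else None


def unauthorized_scheduler_saves(rows, user_groups, allowed_groups=ALLOWED_GROUPS):
    """Return one alert dict per scheduler save by an account with no allowed group."""
    parsed = parse_rows(rows)
    alerts = []
    for r in parsed:
        if not is_scheduler_save(r):
            continue
        groups = user_groups.get(r["user_id"], set())
        if groups & allowed_groups:
            continue  # expected scheduler administrator, nothing to raise
        login = last_login_before(parsed, r["user_id"], r["log_date"])
        alerts.append({
            "log_id": r["id"],
            "user_id": r["user_id"],
            "username": r["msg"].get("username"),
            "groups": sorted(groups),
            "task_id": r["msg"].get("id"),
            "task_title": r["msg"].get("title"),
            "edit_ip": r["ip_address"],
            "login_ip": login["ip_address"] if login else None,
            # an edit from an IP other than the session's login IP is a second indicator
            "ip_mismatch": login is not None and login["ip_address"] != r["ip_address"],
        })
    return alerts


if __name__ == "__main__":
    for a in unauthorized_scheduler_saves(ACTION_LOGS, USER_GROUPS):
        print(f"ALERT log#{a['log_id']}: {a['username']} (groups={a['groups']}) saved task "
              f"{a['task_id']} '{a['task_title']}' from {a['edit_ip']}; "
              f"login ip={a['login_ip']} mismatch={a['ip_mismatch']}")
```

The allowlist is a group check rather than a per-action ACL check on purpose: the vulnerability is precisely that Joomla's own edit authorization did not hold, so the alert keys on who should be touching scheduler tasks according to your own policy, not on what the component allowed at the time.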
How to Mitigate CVE-2026-48900
Immediate Actions Required
- Apply the Joomla! core update referenced in Security Advisory #1048
- Audit all existing scheduler tasks and revert any task type values that do not match the documented configuration
- Review backend user accounts and remove unnecessary access to the scheduler component for low privileged roles
Patch Information
Joomla! addressed the incorrect access control in com_scheduler in the core update described in Joomla Security Advisory #1048. Administrators should upgrade to the fixed Joomla! release identified in that advisory and verify the upgrade through the Joomla! administrator dashboard.
Workarounds
- Restrict access to the Joomla! administrator interface using network-level controls such as IP allowlisting or a VPN until the patch is applied
- Temporarily deny Edit on com_scheduler for every group other than those that must administer tasks, via the Scheduled Tasks component's Options > Permissions or the site-wide Permissions tab in Global Configuration; because the flaw is in the edit authorization check itself, also deny Access Administration Interface for the component to remove the edit path entirely
- Disable the scheduler component if it is not in active use, which prevents task type modification entirely
# Configuration example - tighten com_scheduler ACL in the Joomla administrator
# Component level: System > Manage > Scheduled Tasks > Options > Permissions
#   (System > Global Configuration > Permissions sets the same actions for all components)
# For each group other than those that must administer tasks, set:
#   Access Administration Interface : Denied   (removes the component, and its edit form, from the group)
#   Configure ACL & Options         : Denied
#   Create / Delete / Edit / Edit State / Edit Own : Denied
# Notes:
#   - Denied is inherited by child groups and cannot be re-Allowed at a lower level,
#     so set it once on the parent group rather than on every child
#   - Super Users bypass ACL entirely; membership in that group is the real control
#   - Because the flaw is in the edit authorization check itself, denying Edit alone
#     may not block the request path; denying Access Administration Interface does,
#     since the component dispatcher checks it before any controller runs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


